Purchase

Buying devices is expensive and, in a lot of cases, our testing leads to bricked equipment. If you would like to help support our group, site, and research, please use one of the links below to purchase your next device.
Purchase the Vizio CoStar LT media player at Amazon

Disassembly

UART

Exploiting The Vizio CoStar LT For Root

On boot, the Vizio CoStar LT's bootloader checks for a "FS.sys" and a "safe-kernel.Img1" file on a FAT32-formatted thumb drive.

"FS.sys" - This file is a u-boot script file: a text file containing u-boot commands, compiled with mkimage. The exact compilation arguments for mkimage are as follows.

Restart the Vizio CoStar LT by unplugging the power adapter and plugging it back in.

After the kernel boots, it will drop your UART connection to a root shell.

NOTE: Hijacking the kernel init stops the kernel before it runs crucial scripts. In most cases you will need to finish running the scripts within /etc/init.d before you can access the entire file system.

Gaining Persistent Root Access
After gaining root with the above method, you can gain persistent root access by having the device start a telnet root shell (or a server of your choice) on boot. To do this you must find a writable file on the device that is called on boot.

Lucky for us, "/etc/commonStart.sh" is just that file. You can modify this file to do anything you'd like to happen on each boot.

For example, adding:

telnetd -l /bin/sh

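after "#!/bin/sh" will start a telnet server on each boot. The "-l /bin/sh" option makes telnetd hand each connection a shell directly instead of a login prompt.

If you are hijacking init to gain root, you will need to run "/etc/rc.mount" prior to modifying "/etc/commonStart.sh".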

Demo

U-Boot Env

Below is the u-boot environment output from the "printenv" u-boot command.